CCIE Security
Overview
The CCIE Security exam covers IP and IP routing as well as specific security components. It is recommended that you read the section on Preparing for your CCIE Exam before reading this page. You can also find information on test policies in the Policies Section.
Required Evaluations
The two requirements to become a CCIE are a passing grade on the Security qualification exam and a passing grade on the Security lab exam. The qualification exam is a prerequisite for attempting and scheduling the lab exam.
Security Qualification Exam
Format
The two-hour, multiple-choice exam is computerized and administered at Cisco-authorized testing centers. The exam is closed book and contains 100 questions. No reference materials are allowed in the exam room. Find out more about scheduling your Security Qualification exam (#350-018) and an authorized testing center near you.
Blueprint
Please see the Security Blueprint for details.
Recommended Reading
Cisco Network Security (Cisco Press)
Cisco IOS Dial Solutions (Cisco Press)
Enhanced IP Services for Cisco Networks (Cisco Press)
Cisco Internetwork Troubleshooting (Cisco Press)
Designing Network Security (Cisco Press)
Internetworking Troubleshooting Handbook (Cisco Press)
Top Down Network Design (Cisco Press)
Building Cisco Remote Access Networks (Cisco Press)
MPLS and VPN Architectures (Cisco Press)
IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks (Doraswamy/Harkins, Prentice Hall)
Digital Certificates: Applied Internet Security (Feghhi/Williams, Addison Wesley)
Big Book of IPsec RFCs: Internet Security Architecture (Loshin, Morgan Kaufmann Publishers Inc.)
Internet Security Protocols: Protecting IP Traffic (Black, Prentice Hall)
Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick/Bellovin, Addison-Wesley Professional Computing)
Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network with CD ROM (Anonymous, Sams)
Inside Internet Security: What Hackers Don't Want You to Know (Crume, Addison-Wesley)
Internet and TCP/IP Network Security: Securing Protocols and Applications (Pabrai/Gurbani, McGraw Hill)
Internet Cryptography (Smith, Addison Wesley)
Network Security: Private Communication in a Public World (Kaufman/Perlman/Speciner, Prentice Hall)
Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition (Schneier, John Wiley & Sons)
Strategies to Protect Against Distributed Denial of Service
Characterizing and Tracing Packet Floods Using Cisco Routers
Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks
Strategies to Protect Against TCP SYN Denial of Service Attacks
Security Lab Exam
Format
The Security Lab exam physical rack layout is similar to that of the Routing & Switching exam, with the exception of a few equipment additions: the PIX and security server. Server applications are listed below. Because this is a CCIE lab, candidates should expect to be tested on core IP routing and switching as well as specific security components. There are no desktop protocols (IPX, DLSW, etc.). Security topics that may be tested are listed in the Security exam blueprint. Candidates may refer to the Routing & Switching exam blueprint for more specifics on IP routing and switching test content.
The CCIE candidate will be presented with a complex design to implement from the physical layer up. Candidates are not required to configure any end-user systems, but are responsible for any device residing in the internetwork, including hubs, etc. Network specifics, point values and testing criteria used to assess correctness of the individual configurations are provided.
Each configuration scenario and problem has pre-assigned point values. The candidate must obtain a minimum mark of 80% to pass. Find out more about scheduling your CCIE lab exam and testing sites near you.
IOS Versions
IOS features up to and including version 12.0 will be tested on the exam until November 14, 2001. IOS "T" trains will be used to provide security-specific IPSEC/IOS Firewall features.
To keep pace with the evolution of new technologies in the industry, all CCIE labs worldwide will change to IOS version 12.1, effective November 15, 2001. Specific features new to IOS version 12.1 can appear on CCIE lab exams starting on this date.
Equipment List
Candidates make inquiries about the specific security applications or servers used in the lab. It is important to bear in mind that the Security Lab uses various servers, depending on the version of the exam the candidate encounters. Any device used in the lab other than the Cisco router and switch types listed below is pre-configured. Although a Security Lab exam may interact with one or more of these applications, every effort is made to keep candidates' focus on the routers and switches, not on servers. Candidates should dedicate their study to understanding how Cisco routers and switches interact with various servers, and to the configuration of those routers and switches. Therefore, please consider the equipment list provided as sufficient for the purposes of lab preparation.
2500 series routers
2600 series routers
3600 series routers
4000 and 4500 series routers
3900 series token ring switches
Catalyst 5000 series switches
PIX - running PIX software version 5.2
Services / Applications
Certificate Authority Support
Cisco Secure Access Control System
Cisco Secure Intrusion Detection System
Suggested Training Courses
Cisco Training Classes are RECOMMENDED, and are NOT REQUIRED for completion of the CCIE Program. For more information on these Cisco training classes and our training partners, go to the Cisco Training page. Here is the list of classes we recommend for the CCIE Security certification:
TRN-MCNS-Managing Cisco Network Security
TRN-CSIDS-Cisco Secure Intrusion Detection System
TRN-CSPFF-Cisco Secure PIX Firewall Fundamentals
TRN-CSVPN-Cisco Secure Virtual Private Network
TRN-CSPFA-Cisco Secure PIX Firewall Advanced
TRN-BCRAN-Building Cisco Remote Access Networks
Recertification
All CCIE professionals are required to recertify. For further information please read the recertification section.
For More Information
If you need more information on the Security exam, or the CCIE program in general, contact the CCIE Program Coordinator for your region:
North and South America: ccie_ucsa@cisco.com
Europe, Middle East and Africa: ccie_emea@cisco.com
Asia and the Pacific Rim: ccie_apt@cisco.com